Re: Safe handling of an SQL query

2012-04-16 Thread Vincent Veyron
On Monday 16 April 2012 at 10:45 -0700, Bruce Johnson wrote:
> I'm going to suggest going another direction...what you (and they) want are a
> BI system. You can present a set of reports and the system provides for their
> ability to do ad hoc reporting and such like.
>
>

Re: [Fwd: RE: Safe handling of an SQL query]

2012-04-16 Thread demerphq
On 16 April 2012 18:06, Vincent Veyron wrote:
> b) You should always keep the control over the selects which are
> fired against your db. Otherwise someone can bring down the db
> very easily.

You might want to look into setting up a slow query killer. Then you don't have to worry about this.

Yves

unsubscribe

2012-04-16 Thread Boston, Mike
unsubscribe

unsubscribe

2012-04-16 Thread Mauritz Hansen

unsubscribe

2012-04-16 Thread Mauritz Hansen

Re: Safe handling of an SQL query

2012-04-16 Thread Bruce Johnson
I'm going to suggest going another direction...what you (and they) want are a BI system. You can present a set of reports and the system provides for their ability to do ad hoc reporting and such like.

[Fwd: RE: Safe handling of an SQL query]

2012-04-16 Thread Vincent Veyron
Hi Andreas, I guess you forgot to cc the list.

--- Begin Message ---
Hi Vincent, just my 2 cents:
a) Use a db user only with select rights for this reporting stuff.
b) You should always keep the control over the selects which are fired against your db. Otherwise someone can bring down the db v

Re: Safe handling of an SQL query

2012-04-16 Thread Jiří Pavlovský
On 16.4.2012 15:55, Vincent Veyron wrote:
> My question is: Can I make sure that whatever query is sent to the server, it will only be a SELECT<...> and _never_ an UPDATE or INSERT or DELETE?

In addition to the already mentioned approaches you could also have a look at the "ReadOnly" attribut

RE: Safe handling of an SQL query

2012-04-16 Thread Lloyd Richardson
Have your webservice connect to the db as an unprivileged user that has only select privileges.

-Original Message-
From: Vincent Veyron [mailto:vv.li...@wanadoo.fr]
Sent: April-16-12 8:55 AM
To: modperl@perl.apache.org
Subject: Safe handling of an SQL query

Hi Group, I maintain a busi

Re: Safe handling of an SQL query

2012-04-16 Thread Robert Aspinall
I suggest you limit that functionality at the database level. You should be able to make sure their accounts can only perform SELECT queries. This is much safer than attempting to detect malicious/improper SQL.

Robert Aspinall
NOAA's National Ocean Service
CO-OPS/Information Systems Division
13
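The advice in this post, in Lloyd Richardson's and Andreas's replies (a select-only database user) and in demerphq's reply (a slow query killer) translates directly into PostgreSQL, which is the backend the original question names. The following is an added example and is not code posted in the thread; the role name report_ro, the database name reports, the schema public and the table some_table are assumptions chosen for illustration.

```sql
-- Added example (not from the thread). Run as a superuser or the database owner.
-- Assumed names: role report_ro, database reports, schema public, table some_table.

-- 1. A login role with no special attributes.
CREATE ROLE report_ro LOGIN PASSWORD 'change-me'
    NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

-- 2. Database level: only CONNECT, nothing else.
REVOKE ALL ON DATABASE reports FROM report_ro;
GRANT CONNECT ON DATABASE reports TO report_ro;

-- 3. Schema level (run while connected to "reports").
-- Before PostgreSQL 15 every role inherits CREATE on "public" via PUBLIC,
-- so the revoke has to target PUBLIC, not just report_ro.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
GRANT USAGE ON SCHEMA public TO report_ro;

-- 4. Table level: SELECT and nothing else, on what exists now ...
REVOKE ALL ON ALL TABLES IN SCHEMA public FROM report_ro;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO report_ro;
-- ... and on tables created later. ALTER DEFAULT PRIVILEGES applies to objects
-- created by the role that runs it; add "FOR ROLE <owner>" if the application
-- tables are created by a different role.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO report_ro;

-- 5. A SELECT can still call functions. If report authors should not be able
-- to reach every function in the schema, take EXECUTE away from PUBLIC and
-- grant it back only on the ones the reports need.
REVOKE EXECUTE ON ALL FUNCTIONS IN SCHEMA public FROM PUBLIC;

-- 6. Defence in depth, per role: read-only transactions and a statement
-- timeout (the "slow query killer").
ALTER ROLE report_ro SET default_transaction_read_only = on;
ALTER ROLE report_ro SET statement_timeout = '30s';

-- 7. Checks, to be run in a session connected as report_ro.
SELECT count(*) FROM some_table;       -- allowed
DELETE FROM some_table;                -- rejected: read-only transaction, and no DELETE privilege
CREATE TABLE scratch (id int);         -- rejected: no CREATE on the schema
SELECT pg_sleep(60);                   -- cancelled by statement_timeout after 30 s
```

Two caveats a practitioner should keep in mind. First, default_transaction_read_only and statement_timeout are session-settable parameters: a report author who can submit arbitrary SQL can undo them with SET in the same session, so they limit accidents, not a determined user. The GRANT and REVOKE statements in steps 2 to 5 are what actually enforce "SELECT only" and cannot be changed by the role itself. Second, a read-only role still consumes CPU, memory and I/O, so the timeout (or a separate slow-query killer, as suggested in the thread) is still needed to protect the server from a pathological SELECT.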

Safe handling of an SQL query

2012-04-16 Thread Vincent Veyron
Hi Group, I maintain a business application that uses a LAMP stack of Linux + Apache2 + Mod_perl + Postgresql. One recurring problem I have is that each client wants his own set of custom reports using queries from the database. This is currently covered via a table in the database which holds th

RE: highscalability.com report

2012-04-16 Thread Vincent Veyron
On Thursday 12 April 2012 at 13:14 -0400, eric.b...@barclays.com wrote:
> Well, finding (good) developers is certainly an issue.
>

Over the years, I have seen more than one of those being driven out of the field by the inane management that most developers toil under. And considering how demanding